Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-10823

CVE-2026-10823: YMC Filter WordPress Info Disclosure Flaw

CVE-2026-10823 is an information disclosure vulnerability in the YMC Filter WordPress plugin that lets unauthenticated attackers access private posts. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-10823 Overview

CVE-2026-10823 is a broken access control vulnerability in the YMC Filter WordPress plugin before version 3.11.3. The plugin exposes a REST API endpoint that does not properly authorize access and fails to validate a user-supplied query parameter. Unauthenticated attackers can send crafted requests to retrieve titles and content of private, draft, and other non-public posts. The flaw affects confidentiality only, with no direct impact on integrity or availability. Site owners using the plugin for content filtering on WordPress sites are exposed to disclosure of unpublished editorial content, internal notes, and other restricted material stored as posts.

Critical Impact

Unauthenticated remote attackers can read private, draft, and other non-public WordPress post content through an unauthorized REST API endpoint.

Affected Products

  • YMC Filter WordPress plugin versions prior to 3.11.3
  • WordPress installations exposing the plugin's REST API endpoints
  • Sites relying on WordPress post visibility (private, draft, pending) for confidentiality

Discovery Timeline

  • 2026-06-26 - CVE-2026-10823 published to NVD
  • 2026-06-26 - Last updated in NVD database

Technical Details for CVE-2026-10823

Vulnerability Analysis

The vulnerability is a broken access control issue in one of the plugin's REST API endpoints. The endpoint performs no authorization check to confirm the caller is entitled to read non-public posts. It also fails to validate a user-supplied query parameter that controls which posts are returned. An attacker can manipulate this parameter to request posts with visibility states such as private, draft, pending, or future. WordPress ordinarily restricts such content to authenticated users with appropriate capabilities like read_private_posts or edit_posts. The plugin bypasses these checks by returning post titles and content directly from its endpoint response.

Root Cause

The root cause is a combination of two defects. First, the affected REST route lacks a permission_callback that verifies user capability, or the callback returns true unconditionally. Second, the endpoint accepts a query parameter that selects post status without sanitizing or restricting it to public statuses. Together these gaps allow anonymous requests to enumerate protected content.

Attack Vector

The attack vector is remote and requires no authentication or user interaction. An attacker sends an HTTP GET request to the vulnerable REST endpoint with a manipulated status parameter. The endpoint responds with a JSON payload containing titles and body content of matching non-public posts. No special tooling is required beyond a standard HTTP client. Exploitation leaves standard web server access log entries but no application-level authentication traces.

The vulnerability is described in prose as no verified proof-of-concept code has been published. Refer to the WPScan Vulnerability Report for additional technical detail.

Detection Methods for CVE-2026-10823

Indicators of Compromise

  • Unauthenticated HTTP requests to /wp-json/ routes registered by the YMC Filter plugin, particularly those including a post status query parameter
  • Access log entries returning HTTP 200 with large JSON payloads to REST endpoints from clients that never authenticated
  • Requests containing parameter values such as status=private, status=draft, or status=pending

Detection Strategies

  • Inventory WordPress installations and identify sites running YMC Filter below version 3.11.3
  • Review web server and WordPress access logs for anonymous calls to the plugin's REST routes returning non-public post data
  • Deploy a web application firewall rule that blocks unauthenticated REST requests referencing non-public post statuses

Monitoring Recommendations

  • Alert on spikes of anonymous traffic to /wp-json/ endpoints exposed by the plugin
  • Monitor outbound response sizes from REST routes to detect bulk content extraction
  • Correlate REST endpoint access with subsequent appearance of internal content on external sites or paste services

How to Mitigate CVE-2026-10823

Immediate Actions Required

  • Update the YMC Filter plugin to version 3.11.3 or later on all WordPress sites
  • Audit private, draft, and pending posts for sensitive content that may have been exposed
  • Rotate or redact any credentials, tokens, or non-public information stored inside affected posts

Patch Information

The vendor has released version 3.11.3 of the YMC Filter WordPress plugin, which enforces proper authorization on the affected REST API endpoint and validates the post status query parameter. Administrators should apply the update through the WordPress plugin manager or by deploying the fixed release from the official plugin repository. Verify the installed version after update by reviewing the plugin metadata in wp-admin/plugins.php.

Workarounds

  • Disable or remove the YMC Filter plugin until the patched version can be deployed
  • Restrict access to /wp-json/ REST routes at the reverse proxy or WAF layer for unauthenticated clients
  • Move sensitive content out of WordPress draft or private posts until remediation is confirmed
bash
# Example WP-CLI command to update the plugin to the fixed version
wp plugin update ymc-filter --version=3.11.3
wp plugin get ymc-filter --field=version

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.